Abstract — In this paper, we study the problem of misbehavior
detection in wireless networks. A commonly adopted
approach  is  to  utilize  the  broadcast  nature  of  the  wireless 
medium  and  have  nodes  monitor  their  neighborhood.  We 
call  such  nodes  the  Watchdogs.  We  propose  a  lightweight 
misbehavior  detection  scheme  which  integrates  the  idea  of 
watchdogs  and  error  detection  coding.  We  show  that  even 
if  the  watchdog  can  only  observe  a  fraction  of  packets,  by 
choosing  the  encoder  properly,  an  attacker  will  be  detected 
with  high  probability  while  achieving  throughput  arbitrarily 
close  to  optimal.  Such  properties  reduce  the  incentive  for  the 
attacker  to  attack. 

We  then  consider  the  problem  of  locating  the  misbehaving 
node  and  propose  a  simple  protocol,  which  correctly  locates 
the  misbehaving  node  with  high  probability.  The  protocol 
requires  exactly  two  watchdogs  per  unreliable  relay  node. 

I.  Introduction 

In  wireless  ad  hoc  and  sensor  networks,  paths  between 
a  source  and  destination  are  usually  multihop,  and  data 
packets  are  relayed  in  several  wireless  hops  from  their 
source  to  their  destination.  This  multihop  nature  makes 
the  wireless  networks  subject  to  tampering  attack:  a 
compromised/misbehaving  node  can  easily  ruin  data 
communications  by  dropping  or  corrupting  packets  it 
should  forward. 

The watchdog mechanism proposed in [3] is a monitoring
method used for ad hoc and sensor networks, and is
the basis of many misbehavior detection algorithms and
trust or reputation systems. The basic idea of the watchdog
mechanism is that nodes (called watchdogs) police
their downstream neighbors locally using overheard
messages in order to detect misbehavior. If a watchdog
detects that a packet is not forwarded within a certain
period or is forwarded but altered by its neighbor, it
deems the neighbor as misbehaving. When the misbehavior
rate for a node surpasses a certain threshold, the
source is notified and subsequent packets are forwarded
along routes that exclude that node [3].

The main challenge for most watchdog mechanisms is
the unreliable wireless environment. Due to possible reasons
such as channel fading, collision with other transmissions,
or interference, even when the source node
and the attacker are both within the communication
range, the watchdog may not be able to overhear every
transmission and therefore may be unable to determine
whether there is an attack.

To mitigate the misbehavior of the malicious nodes,
a watchdog mechanism must achieve the following two
goals: (1) Malicious behavior in the network should be
detected. (2) The throughput under the detection mechanism
should be comparable to the throughput without
detection if there is no attack. These two goals seem to
conflict. On one hand, more redundancy
is required to improve the probability of detection. On
the other hand, higher throughput requires redundancy
to be reduced.

In  this  paper,  we  show  that  both  goals  can  be  achieved 
simultaneously by introducing error detection block coding
to the watchdog mechanism. The main contributions
of  this  paper  are  as  follows: 

• We propose a computationally simple scheme that
integrates source error detection coding and the
watchdog mechanism. We show that by choosing
the encoder properly, a misbehaving node will be
detected with high probability while the throughput
approaches optimal, even when the
watchdog can only overhear a fraction of the packets
and the attacker is omniscient, i.e., the attacker knows
what encoder is being used and no secret is shared
only between the source and destination.

• We also propose a simple protocol that identifies
the misbehaving node using exactly two watchdog
nodes per unreliable relay node. We show that our
protocol can be interpreted as a maximum likelihood
decision making scheme. Finally, we show that
with multiple rounds of detection, the probability of
correctly locating the malicious node can be made
arbitrarily close to one.

• We illustrate the effectiveness of our schemes with
some small example topologies, and we also show
that these results generalize to multihop networks.

The  remainder  of  the  paper  is  organized  as  follows.  We 
discuss  related  work  in  Section  II.  Section  III-A  illustrates 
the  ideas  using  a  simple  single  flow  network.  We  discuss 
the  more  interesting  two  flow  network  case  in  Section 
III-B and analyze our watchdog scheme with error detection
codes. In Section IV, we present the protocol for
locating  the  misbehaving  node  for  the  single  flow  and 
two  flow  network  cases.  Section  V  shows  that  the  results 
of  single  and  two  flow  network  case  can  not  be  improved 
for  multihop  routing  networks,  thereby  showing  that  the 
scheme  generalizes  to  multihop  networks.  We  discuss 
some  issues  related  to  implementation  of  the  scheme  and 
improving  the  performance  in  Section  VI  and  close  the 
paper  with  some  future  directions  in  Section  VII. 

II.  Related  Work 

To ensure the reliability of packet delivery, trust for
ad hoc and sensor networks has been investigated in
past literature. The foundation of such dynamic trust
systems is the node behavior monitoring mechanism,
the most frequently discussed being the watchdog mechanism
[3]. The main idea of the watchdog is promiscuous
monitoring, as discussed in Section I. Once a node is
deemed to be misbehaving, the source chooses a
new route free of misbehaving nodes with the aid of a
"pathrater".

A variant of the watchdog mechanism is proposed in [4],
where the next hop's behavior is measured with the local
evaluation record, defined as a 2-tuple: packet ratio and
byte ratio, forwarded by the next-hop neighbor. Local
evaluation records are broadcast to all neighbors. The
trust level of a node is the combination of its local
observation and the broadcast information. The trust level
is inserted into the RREQ (Route REQuest). The route is
selected in a way similar to AODV (Ad hoc On Demand
Distance Vector) [5]. Although many ad hoc trust or
reputation systems such as [6], [7] and [8] adopt different
trust level calculation mechanisms, the basic processes are
similar to [4], including monitoring, broadcasting local
observations, and combining the direct and indirect information
into the final trust level.

Recently, the security issue in network coding systems
has drawn much attention. Due to the mixing nature of
network coding, such systems are subject to a severe security
threat, known as a pollution attack, where attackers
inject corrupted packets into the network.

Several solutions to address pollution attacks in intra-flow
coding systems use carefully designed digital signatures
[9], [10], [11], [12] or hash functions [13], [14],
which allow intermediate nodes to verify the integrity
of combined packets. Packets that fail the test are
dropped to save bandwidth. Such cryptographic
solutions largely rely on either the private key being kept
secret from the adversary or the difficulty of reversing the
hash function. Non-cryptographic solutions have also
been proposed [15], [16]. [17] proposes two practical
schemes to address pollution attacks against network
coding in wireless mesh networks that do not require
complex cryptographic functions and incur little overhead.
[18] studies the transmission overhead associated
with the schemes in [11], [15], and [16].

[1] and our earlier work [2] independently propose two similar
watchdog schemes. The authors of [1] investigated
a two-hop network which is similar to the single
flow example in Section IV of [2] and Section III-A of this
paper. Both schemes introduce redundancy at the source
of data, in the form of a polynomial hash function and an
MDS (maximum distance separable) code, respectively,
to help improve the detection at the watchdog node.
Both works show that as the amount of redundancy
increases, the probability of the malicious node being
undetected approaches zero. Despite the similarities, [2]
was the first work that identified the insufficiency of
linear network codes in achieving secure capacity, to the
best of our knowledge. We also show that our scheme
can achieve the same optimal throughput as if there
is no attack while the malicious node is detected with
high probability. One small difference between these
two works is that [1] assumes that the hash function is
strongly protected from being corrupted by the channel
while we assume every coded packet can be lost over
the channel. In addition, [1] did not study the tradeoff
between security and throughput when one watchdog
node is monitoring more than one flow, which is investigated
in Section V of [2] and reproduced in Section
III-B of this paper. Finally, as an extension of [2], this
paper also proposes a scheme to identify the malicious
node when the watchdog node can also be malicious
and accuse other nodes arbitrarily, while [1] assumes the
watchdog node is always reliable.

Fig. 1. A single flow network. The thick (directed) lines denote a
reliable connection from the tail node to the head node, a dashed line
denotes the overhearing and a blue line denotes a secure asymptotically
negligible rate channel between the two nodes.

III.  Detecting  Misbehavior 

In  this  paper,  we  focus  on  multihop  wireless  networks 
in  which  data  packets  are  transmitted  from  source  to 
destination  through  multiple  relay  nodes.  We  assume  no 
coding  is  performed  on  relaying  nodes  so  that  packets 
are  forwarded  as  they  are  received  at  the  relay  nodes.  In 
such  a  network,  a  node  W  can  be  assigned  as  a  watchdog 
for  a  relay  node  R  if  W  can  overhear  both  incoming 
and  outgoing  transmissions  to/from  R.  W's  duty  is  to 
compare  the  two  copies  of  a  packet  it  overhears  from 
both  R  and  its  upstream  neighbor,  and  to  report  an  attack 
to  the  source  or  destination  if  there  is  a  mismatch. 

We are interested in detecting tampering attacks: we
want the source or destination to be able to detect if
there are misbehaving nodes in the network sending
corrupted data. Moreover, we will focus on tampering attack
detection under a single node failure adversary
model, i.e., the adversary can compromise at most one
node in the network except for the source(s) and destination(s).
If a watchdog is misbehaving, the only way
to attack is to report an attack even though all other
nodes are well-behaved. This is a trivial case since the
source/destination always knows some node is misbehaving
upon receiving the report of attack from the
misbehaving watchdog. So it is more interesting to look
at the case when a relay node misbehaves.

Fig. 2. Miss detection probability in the single flow example.
(a) Miss detection probability vs. observe probability.
(b) Miss detection probability with $k = n + 1 - \frac{\beta \ln n}{q}$.

Since the wireless broadcast channel is usually unreliable,
a watchdog node may only be able to overhear
a fraction of the transmissions to/from the node it is
monitoring for reasons such as channel fading and interference.
As a result, an adversary may be able to avoid
being detected by the watchdog with high probability by
keeping the fraction of packets it tampers lower than a
certain threshold $Th_{watchdog}$. To overcome this drawback
of watchdog mechanisms, we propose to integrate source
coding with watchdogs: the source node encodes the
data packets with some error detecting code and sends
the coded packets through the multihop network with
watchdogs. By applying error detecting codes, the destination
can detect an attack during the decoding process
with high probability if the fraction of packets tampered
by the adversary is lower than a certain threshold $Th_{code}$.
Intuitively, if $Th_{watchdog} < Th_{code}$, even an omniscient
adversary will be detected with high probability no
matter how many packets it corrupts. Throughout this
paper, we assume the adversary to be omniscient, i.e., the
adversary has complete knowledge of the misbehavior
detection mechanism being used, and there is no secret
between the source and destination hidden from the
adversary.


A. Single Flow Case

To illustrate the idea, let's look at the example of a
single flow network as in Fig. 1. There are 4 nodes in the
network: the source node S, destination node D, attacker
R, and the watchdog node W. The thick (directed) lines
denote a link from the tail node to the head node, a
dashed line denotes the overhearing and a blue line
denotes a secure asymptotically negligible rate channel
between the two nodes. We assume that all links (except
for the blue one) have the same transmission rate of 1
packet per unit time. We also assume an optimal centralized
schedule is enforced and the watchdog W knows
what to compare. Moreover, we assume all transmissions
along the path S-R-D are reliable while W can only
overhear both transmissions of a packet with probability
$q \le 1$.¹

The source node S encodes every k data packets into a
block of n coded packets with an (n, k) MDS (maximum
distance separable) code. We assume the packet size is
large enough so that an MDS code always exists for the
desired value of n and k. With an (n, k) MDS code, an
attack will always be detected at the decoder as long as
no more than $n - k$ packets are altered. As a result, R has
to alter at least $n - k + 1$ packets in a block in order to
avoid being detected by the decoder. And since the more
packets R tampers the more likely it will be caught by W,
it is in R's interest to attack just the minimum number
of packets per block: $n - k + 1$. In this case, it is easy to
show that the probability of R not being caught is

$$P_{miss}(n,k,q) = (1-q)^{n-k+1}. \qquad (1)$$

If we construct an (n, k) encoder such that

$$k = n + 1 - \frac{f(n,q)}{q}, \qquad (2)$$

from Eq. 1 we have

$$P_{miss}(n,k,q) < e^{-q(n-k+1)} = e^{-f(n,q)}. \qquad (3)$$

We can then choose the function $f(n,q)$ appropriately so
that we can make $P_{miss}$ arbitrarily small while the coding
rate $k/n$ approaches arbitrarily close to optimal (1). For
example, by making $f(n,q) = \beta \ln n$ for any positive
constant $\beta$, we have

$$P_{miss}(n,k,q) < e^{-\beta \ln n} = n^{-\beta} \to 0 \quad \text{as } n \to \infty. \qquad (4)$$

And the coding rate becomes

$$\frac{k}{n} = \frac{n + 1 - \frac{\beta \ln n}{q}}{n} = 1 + \frac{1}{n} - \frac{\beta \ln n}{q\,n} \to 1 \quad \text{as } n \to \infty. \qquad (5)$$

So we can reduce the incentive for R to attack by making
n large and choosing $\beta$ appropriately.

¹ Transmissions along the data path are usually protected by channel
coding and/or retransmission mechanisms, while the watchdog can
only overhear packets opportunistically.

Fig. 3. A two flow network. The thick (directed) lines denote a reliable
connection from the tail node to the head node, a dashed line denotes
the overhearing and a blue line denotes a secure asymptotically
negligible rate channel between the two nodes.

Since  the  delay  to  verify  a  block  equals  the  time  it 
takes  to  transmit  n  packets  in  the  block,  tradeoff  between 
probability  of  miss-detection  and  n  is  of  interest.  Fig.  2(a) 
and  Fig.  2(b)  show  the  probability  of  miss-detection  with 
the  observe  probability  q  and  with  the  number  of  packets 
n  respectively.  We  can  see  that  by  integrating  a  watchdog 
and  error  detection  coding,  we  can  reduce  the  incentive 
for  the  attacker  to  attack  by  allowing  longer  delay. 

Notice that by making n large, the coding/decoding
complexity increases. In the case complexity is a concern,
the  source  can  scramble  coded  packets  of  multiple  (n,  k) 
encoded  blocks  and  transmit  these  packets  in  a  random 
order.  By  doing  so,  the  attacker  will  have  to  corrupt  more 
packets  in  order  to  destroy  a  particular  block,  which 
makes  it  easier  to  be  detected  by  the  watchdog. 
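
The single flow argument above can be checked numerically. The Python sketch below is an added example, not code from the paper: it assumes k is rounded down to an integer, models the MDS decoder only through the property stated above (1 to n − k altered packets are always detected, while an omniscient relay altering more can reach another valid codeword), and lets W compare each packet independently with probability q. All function names are illustrative.

```python
import math
import random


def choose_k(n, q, beta):
    """Eq. 2 with f(n, q) = beta * ln n, rounded down to an integer k (assumption)."""
    k = math.floor(n + 1 - beta * math.log(n) / q)
    if k < 1:
        raise ValueError("no (n, k) code available for these parameters")
    return min(k, n)


def p_miss(n, k, q):
    """Eq. 1: the relay alters the minimum n-k+1 packets and W compares none of them."""
    return (1.0 - q) ** (n - k + 1)


def evade_probability(n, k, q, m):
    """Chance that a relay altering m packets of a block escapes decoder and watchdog."""
    if not 1 <= m <= n:
        raise ValueError("m must be between 1 and n")
    if m <= n - k:
        return 0.0  # within the MDS detection radius: the decoder always notices
    return (1.0 - q) ** m  # decoder fooled, so every altered packet must go unobserved


def best_attack(n, k, q):
    """Number of altered packets that maximises the relay's chance of evading."""
    return max(range(1, n + 1), key=lambda m: evade_probability(n, k, q, m))


def simulate_miss_rate(n, k, q, m, trials, seed=1):
    """Monte Carlo estimate of evade_probability for a relay altering m packets."""
    rng = random.Random(seed)
    missed = 0
    for _ in range(trials):
        decoder_detects = m <= n - k
        # W catches the relay if it overhears both copies of any altered packet.
        watchdog_detects = any(rng.random() < q for _ in range(m))
        if not (decoder_detects or watchdog_detects):
            missed += 1
    return missed / trials


if __name__ == "__main__":
    n, q, beta = 255, 0.5, 1.0
    k = choose_k(n, q, beta)
    print(f"n={n} q={q} beta={beta}: k={k}, rate={k / n:.3f}")
    print(f"P_miss={p_miss(n, k, q):.2e}  bound n^-beta={n ** -beta:.2e}")
    for m in (1, n - k, n - k + 1, n - k + 5):
        print(f"  altered={m:3d}  evade={evade_probability(n, k, q, m):.2e}")
```

Altering fewer packets than n − k + 1 is always caught by the decoder and altering more only helps the watchdog, which is why the minimum is the relay's best choice.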


B. Two Flows Case

In  III-A,  we  have  illustrated  the  effectiveness  of  source 
coding  on  top  of  watchdog  mechanisms  by  a  single  flow 
example  with  a  centralized  optimal  scheduler.  In  this 
section, we will study the trade-off between throughput
and security in a more practical setting: there are
multiple  data  flows  in  the  network  and  a  distributed 
random  access  MAC  protocol  is  used.  In  the  following 
example,  we  show  that  the  proposed  scheme  achieves 
a  high  level  of  security  while  maintaining  a  reasonably 
good  throughput. 


Consider the network shown in Fig. 3 with two flows:
$S_1 - R_1 - D_1$ and $S_2 - R_2 - D_2$. Suppose the flows are
far enough away from each other so there is no inter-flow
interference, but the watchdog W is sitting between
the flows and can overhear transmissions on all the four
links. So even though a transmission is successful along
its path, it may collide with packets from the other
flow received at W. We assume a slotted ALOHA access
protocol with access probability $\alpha$ is used. To simplify
the analysis, we further assume that a node will access
the channel by transmitting dummy packets when it has
no data packet to send. Under these assumptions, we can
compute the throughput of each flow and the probability
that W can compare a particular packet as

$$T = \alpha(1 - \alpha), \qquad (6)$$

$$q = (1 - \alpha)^5. \qquad (7)$$

The exponent in Eq. 7 is 5 because given that the transmission
from $S_1$ to $R_1$ is successful, W can overhear it if
neither $S_2$ nor $R_2$ transmit, which occurs with probability
$(1 - \alpha)^2$. To compare this packet, W should overhear the
transmission from $R_1$ to $D_1$ too, which happens with
probability $(1 - \alpha)^3$ for $S_1$, $S_2$ and $R_2$ to remain silent.

Similar to the single-flow example, we can make $P_{miss}$
arbitrarily small by choosing

$$k = n + 1 - \frac{\beta \ln n}{(1 - \alpha)^5}. \qquad (8)$$

And the effective throughput is

$$T_e = T \times \frac{k}{n} = \alpha(1 - \alpha)\left(1 + \frac{1}{n}\right) - \frac{\alpha \beta \ln n}{(1 - \alpha)^4 n}. \qquad (9)$$


In Fig. 4(a) and Fig. 4(b), we plot the miss-detection
probability and effective throughput when the error
detection code is chosen according to Eq. 8. We only plot
the result for $\alpha < 0.5$ because further increasing $\alpha$ will
only reduce the throughput. We can see from Fig. 4(a) that
the probability of miss-detection increases as $\alpha$ increases
and converges to roughly $n^{-\beta}$. Since the higher $\alpha$ is,
the fewer packets the watchdog can observe, the source
has to sacrifice coding rate in order to maintain a certain
probability of missing an attack as $\alpha$ increases.

Fig. 4. Miss detection probability and effective throughput in the two flows example with $k = n + 1 - \frac{\beta \ln n}{(1 - \alpha)^5}$. Where the curves stop, no code is available.
(a) Miss detection probability vs. channel access probability.
(b) Effective throughput vs. channel access probability.

As shown in Fig. 4(b), as $\alpha$ increases, the effective
throughput increases up to a certain level then drops
to zero as $\alpha$ gets larger. We can also see that the optimal
access probability changes according to the value of n
and $\beta$: the larger n is, the higher $\alpha$ should be; the larger
$\beta$ is, the smaller $\alpha$ should be. For instance, if the source
does not perform any coding (which is not plotted here),
it is well known that the optimal $\alpha = 0.5$ and the
per-flow throughput is 0.25 packet per slot. In the case
$n = 255$ and $\beta = 1$, the optimal $\alpha$ is about 0.35 and
the throughput is about 0.19 packets per slot. Although
the throughput is higher without source coding, it comes
with the cost of not being able to provide any security
guarantee. On the contrary, our scheme provides such a guarantee by
upper bounding $P_{miss}$ by $n^{-\beta}$. Our scheme provides
a method to optimize the balance among throughput,
delay, and security.
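
The trade-off described in this subsection can be reproduced directly from Eqs. 6 to 9. The Python sketch below is an added example, not the authors' code: it treats k as real-valued (as Eq. 9 does), searches a grid of access probabilities below 0.5, and uses illustrative function names.

```python
import math


def throughput(alpha):
    """Eq. 6: per-flow slotted ALOHA throughput."""
    return alpha * (1.0 - alpha)


def observe_prob(alpha):
    """Eq. 7: probability that W can compare a given packet."""
    return (1.0 - alpha) ** 5


def code_dimension(n, alpha, beta):
    """Eq. 8 with real-valued k; None where no code exists (k < 1)."""
    k = n + 1 - beta * math.log(n) / observe_prob(alpha)
    return k if k >= 1 else None


def miss_probability(n, alpha, beta):
    """Eq. 1 evaluated with q from Eq. 7 and k from Eq. 8."""
    k = code_dimension(n, alpha, beta)
    if k is None:
        return None
    return (1.0 - observe_prob(alpha)) ** (n - k + 1)


def effective_throughput(n, alpha, beta):
    """Eq. 9 as the product T * k / n (0 where no code is available)."""
    k = code_dimension(n, alpha, beta)
    return 0.0 if k is None else throughput(alpha) * k / n


def effective_throughput_closed_form(n, alpha, beta):
    """Right-hand side of Eq. 9, used to cross-check the product form."""
    return (alpha * (1 - alpha) * (1 + 1 / n)
            - alpha * beta * math.log(n) / ((1 - alpha) ** 4 * n))


def best_alpha(n, beta, step=0.001):
    """Grid search for the access probability maximising T_e on (0, 0.5)."""
    grid = [i * step for i in range(1, int(round(0.5 / step)))]
    alpha = max(grid, key=lambda a: effective_throughput(n, a, beta))
    return alpha, effective_throughput(n, alpha, beta)


if __name__ == "__main__":
    for n, beta in ((255, 1.0), (255, 2.0), (1023, 1.0)):
        a, te = best_alpha(n, beta)
        print(f"n={n:4d} beta={beta}: alpha*={a:.3f} T_e={te:.3f} "
              f"P_miss={miss_probability(n, a, beta):.2e} bound={n ** -beta:.2e}")
```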

IV.  Identifying  the  Misbehaving  Node 

In the previous section, we have studied the detection
of misbehavior in the network. While misbehavior
detection is essential in some applications, it is also
important to identify the node that is misbehaving in
order to avoid that node in future transmissions. The
scheme discussed in the previous section cannot determine
which node is misbehaving. In this section, we
present a simple protocol that identifies the misbehaving
node with two watchdogs. This includes the cases when
a watchdog node is misbehaving. However, we show
that for the proposed protocol, the adversary has no
incentive to attack the watchdog. In particular, if the
adversary attacks the watchdog, our protocol locates
the adversarial node deterministically (with probability
equal to one). However, if the adversary attacks the relay
node, our scheme is guaranteed to locate the attacker
with a probability that quickly approaches unity with an
increasing number of packets transmitted.

The  protocol  in  the  following  subsection  can  be 
viewed  as  several  nodes  making  a  decision  on  the 
correctness  of  the  message  transmitted  by  the  relay 
node.  The  protocol  can  be  visualized  as  the  maximum 
likelihood  decision  scheme,  and  as  we  show  in  the 
following  subsection,  gives  an  optimal  decision  based 
on  the  decisions  of  the  watchdogs. 

A.  The  Protocol 

Consider a relay node R that is observed by two
watchdogs $W_1$ and $W_2$ and relays the information from
a source node S to destination node D. Assume that the
source node employs an $(n, k)$-MDS code. Assume that
each source packet contains a unique generation number
that identifies the generation to which a particular
packet belongs. Each watchdog in the network decides
whether or not the relay node is misbehaving based
on all the overheard packets that belong to the current
generation. If it finds R misbehaving (one of the n packets
transmitted by R does not match the corresponding
packet transmitted by S), it transmits a "decision bit"
1 to the judge node², else it transmits a decision bit
0 to the judge node. We assume that if the watchdog
is misbehaving, it may transmit a 0 or a 1 for any
particular relay node (the same watchdog may transmit
different decisions for different relay nodes). Denote the
bits received from $W_1$ and $W_2$ by $w_1$ and $w_2$. The judge
node collects the decision bits and makes a decision as
follows:

• $w_1 w_2 = 11$: R is misbehaving;

• $w_1 w_2 = 10$: $W_1$ is misbehaving;

• $w_1 w_2 = 01$: $W_2$ is misbehaving;

• $w_1 w_2 = 00$: none of the nodes is under attack.

² A judge node may be a destination node or the source node or both
the nodes. In case of the destination node, it may decide to treat the
information as authentic if it infers the relay node to be not misbehaving.
In case of the source node, it may decide to consider the path $S \to R \to D$
secure if it infers the relay node to be not misbehaving.

Fig. 5. Single flow network of Fig. 1 with an extra watchdog. The
thick (directed) lines denote a reliable connection from the tail node
to the head node, a dashed line denotes the overhearing and a blue
line denotes a secure asymptotically negligible rate channel between
the two nodes.
(a) False detection probability vs. channel access probability. (b) Miss-detection probability vs. channel access probability.

Fig.  6.  False  location  probability  and  undetected  probability  in  the  single  flow  example  with  k  =  n  + 1  —  (flUs  •  Where  the  curves  stop  means 
no  code  is  available. 


We remark that our scheme gives a decision based
on the maximum likelihood probability of a particular node
misbehaving. To see the protocol as a maximum likelihood
decision making scheme, first consider the two
simple cases of the decision bits being 11 and 00: in
the former, the relay node must be misbehaving, else
$W_1$ and $W_2$ cannot both detect a misbehavior at R
(note that one of them can: if that particular watchdog
is misbehaving, it could pretend that the relay node is
actually misbehaving). And in the latter, there is no way
to detect which node is misbehaving; indeed there may
be no misbehaving node in such a case. For the case
of 01 (10), note that if the attacker is at $W_1$ ($W_2$), $W_2$
($W_1$) will never send a 1. Hence, assuming each node
can be misbehaving with equal probability and the miss-detection
probabilities for $W_1$ and $W_2$ are both $P_{miss}$, it
is easy to compute the probability that each node misbehaves
given $w_1 w_2 = 01$ as:

$$P_{W_1|01} = 0$$

$$P_{R|01} = \frac{P_{miss} \times (1 - P_{miss})}{1 + (P_{miss} \times (1 - P_{miss}))}$$

$$P_{W_2|01} = \frac{1}{1 + (P_{miss} \times (1 - P_{miss}))}$$

The protocol in such a scenario decides that the watchdog
sending a 1 is under attack, which is precisely the
maximum likelihood decision given such a configuration
(note that $P_{W_2|01} > P_{R|01}$).

We  show  in  the  following  subsections  that  the  misbe¬ 
having  node  can  be  located  with  a  very  high  probability 
using  just  two  watchdogs.  We  finally  comment  on  how 
to  bring  the  probability  of  correct  location  detection 
arbitrarily  close  to  unity. 

Let $P_{L|N}$ denote the probability of correctly locating
the misbehaving node in the network given the adversary
is at node N (where N may be R, $W_1$, or $W_2$);
$P_{F|N}$ denote the probability that a node other than N
is accused of misbehaving while in fact N is the
adversary; and $P_{U|N}$ denote the probability that the
adversary at node N operates undetected.


B.  Performance  -  Single  Flow  Case 

For  the  single  flow  case,  only  one  extra  watchdog  is 
required  to  locate  the  adversary  in  the  network  (see 
Fig.  5).  We  employ  the  protocol  discussed  above  at 
destination  D.  Given  this  scheme,  we  have  the  following 
lemmas  characterizing  the  performance  of  the  protocol: 

Lemma 1: In the single flow case of Fig. 5, if any of the
watchdogs is misbehaving, it will be located, i.e.,

$$P_{L|W_1} = P_{L|W_2} = 1$$

$$P_{F|W_1} = P_{U|W_1} = P_{F|W_2} = P_{U|W_2} = 0$$

Proof: Let us assume, without loss of generality,
that $W_1$ is misbehaving. In such a scenario, $W_2$ will
always send a decision bit 0 to D since it will never
overhear any incorrect packet being transmitted by R.
A misbehaving $W_1$, on the other hand, will accuse the
relay node of misbehaving. Then, the received decision
bits at node D are 10. Given our protocol, D will decide
that R is a reliable node and hence, the node $W_1$ sending
a 1 must be misbehaving. Hence, D will always be able
to locate the misbehaving node. ■

The  above  lemma  implies  that  the  adversary  has 
no  incentive  to  attack  either  of  the  watchdogs  in  the 
network.  Using  the  results  of  previous  sections,  this 
further  restricts  the  capabilities  of  the  attacker:  it  is  not 
only  restricted  to  attack  the  relay  node  but  also  needs 
to corrupt a large number of packets. The following
lemma characterizes the performance of the protocol
when the relay node misbehaves (corrupts more than
$n - k$ packets out of n packets):

Lemma 2: In the single flow network of Fig. 5, if R is
misbehaving, then:

$$P_{L|R} = (1 - P_{miss})^2$$

$$P_{F|R} = 2 \times P_{miss} \times (1 - P_{miss})$$

$$P_{U|R} = P_{miss}^2$$

Proof: Let R be misbehaving and the decision bits
sent by $W_1$ and $W_2$ be $w_1$ and $w_2$ respectively. Then, R
goes undetected if and only if $w_1 w_2 = 00$, i.e., when both
the watchdogs miss all the packets corrupted by the attacker.
Hence, the probability of R operating undetected
is $P_{U|R} = P_{miss} \times P_{miss}$. On the other hand, R will be
detected if and only if neither of the watchdogs misses all
of the packets corrupted by R, i.e., $w_1 w_2 = 11$, leading
to the fact that $P_{L|R} = (1 - P_{miss}) \times (1 - P_{miss})$.

Finally, the case of false detection is when exactly one
of the watchdogs misses all the packets corrupted by R,
i.e., when $w_1 w_2$ is either 10 or 01; in this case $W_1$ or $W_2$
is detected as bad (not R). This gives
$P_{F|R} = P_{miss} \times (1 - P_{miss}) + P_{miss} \times (1 - P_{miss})$.
Notice that $P_{F|R} = 1 - (P_{L|R} + P_{U|R})$. ■

Fig. 7. Two flow network of Fig. 3 with extra watchdogs. The thick
(directed) lines denote a reliable connection from the tail node to the
head node, a dashed line denotes the overhearing and a blue line
denotes a secure asymptotically negligible rate channel between the
two nodes.

The probabilities $P_{F|R}$ and $P_{U|R}$ are plotted in Fig. 6(a)
and  Fig.  6(b)  as  a  function  of  channel  access  probability 
for  k  =  n+l-J^. 

In Lemma 2, we have assumed that both the
watchdogs have the same probability $P_{miss}$. This might not be
the case since different nodes might observe different
channel conditions due to being at different locations.
We consider this case in the following subsection but the
results of Lemma 2 can be modified easily to incorporate
such a difference in probability of $W_1$ and $W_2$ missing
the detection of packet modification by the relay node.

C.  Performance  -  Two  Flows  Case 

In this section, we study the location detection of
the misbehaving node for the two flow case of Section
III-B. We first consider the case when the destination
nodes may collaborate among themselves to locate the
misbehaving node and show that such a collaboration
does not necessarily reduce the connectivity requirement
and/or improve the detection probability as long as the
misbehaving node is not oblivious to the attack detection
mechanism. We then show that the case of two flow
network reduces to the case of multiple single flows with
appropriate modifications to the probabilities of missing
an attack at the watchdog nodes.

Assume that the two destinations $D_1$ and $D_2$
collaborate among themselves (share a few bits in order to
locate the misbehaving node) and that the misbehaving
node is oblivious to any attack detection mechanism in
the network. This means that if the watchdog $W_2$ is the
misbehaving node, it will send decision bits 1 to both $D_1$
and $D_2$. However, since there is a single adversary in the
network, $R_1$ and $R_2$ cannot both be misbehaving. If $D_1$
and $D_2$ both receive 1 from $W_2$ they will (collaboratively)
decide that $W_2$ is the misbehaving node. On the other
hand, if $R_1$ or $R_2$ is misbehaving, $W_2$ sends a 1 to the
corresponding destination node and a 0 to the other
destination node, which will certainly imply that the
corresponding relay node is under attack (assuming that
$W_2$ is oblivious to the attack detection mechanism).

Notice that in the above case, we do not need $W_1$
and $W_3$ for locating the misbehaving node. The problem
arises when the misbehaving node knows that an attack
detection scheme is being employed in the network. In
such a case, the misbehaving node (at $W_2$) may send a
decision bit 1 to one destination node (say $D_1$) and a 0 to
the other destination node, making $D_1$ (incorrectly) think
that $R_1$ is actually misbehaving. In such a case, we need
$W_1$ and $W_3$ to be able to correctly decide the location
of the adversary. Note that the above discussion implies
that even if several judge nodes start collaborating, at
least two watchdogs are required to correctly locate the
misbehaving node. Hence, collaboration of judge nodes
does not help in reducing connectivity requirements
and/or devising a better attack detection scheme.

Notice that the above discussion of collaborating judge
nodes also captures the multipath transmission
mechanism where a source node might relay the information
to the same destination via multiple relay nodes (see Fig.
8). Hence, to (correctly) locate the misbehaving node, the
connectivity requirement for the network is that every relay
node be monitored by at least two watchdogs. We
derive the results for the two flow case when the judge
nodes do not collaborate but, as discussed above, these
results hold even if the judge nodes collaborate among
themselves.

If the destination nodes do not collaborate, then the
decision made by any of the destination nodes, say $D_1$,
is dependent only on the decision bits of the watchdogs
observing the corresponding relay node, i.e., $W_1$ and $W_2$
for $D_1$ (similar remarks hold for $D_2$). This in turn means
that each destination node individually behaves as if it
is participating in a single flow network. However, as
discussed earlier, it might be the case that the watchdogs
$W_1$ and $W_3$ have probabilities of detection different from
that of $W_2$. The following lemmas hold for the case
of the two flow network of Fig. 7, where we denote the
probability of missing an attack at the relay node for
watchdogs $W_1$ and $W_3$ by $P_{miss,1}$ and that of $W_2$ by
$P_{miss,2}$.


Fig.  8.  Corresponding  network  for  the  two  Flow  network  of  Fig.  7 
when  the  judge  nodes  collaborate  among  themselves.  Also  captures 
the  multipath  routing  case  when  S  relays  the  information  to  D  via 
multiple  relay  nodes. 

Lemma 3: In the two flow case of Fig. 7 with our
protocol, if the attacker attacks at any of the watchdogs,
it will be located, i.e.,

$$P_{L|W_1} = P_{L|W_2} = 1$$

$$P_{F|W_1} = P_{U|W_1} = P_{F|W_2} = P_{U|W_2} = 0$$

Proof: Similar to Lemma 1, collaboration of
destination nodes does not play a role. ■

Lemma 4: In the two flow case with our protocol, if
the adversary attacks $R_1$ or $R_2$, then:

$$P_{L|R_1} = P_{L|R_2} = (1 - P_{miss,1}) \times (1 - P_{miss,2})$$

$$P_{F|R_1} = P_{F|R_2} = P_{miss,1} + P_{miss,2} - 2 \times P_{miss,1} P_{miss,2}$$

$$P_{U|R_1} = P_{U|R_2} = P_{miss,1} \times P_{miss,2}$$

Proof: Similar to Lemma 2, collaboration of
destination nodes does not play a role. ■

Fig. 9. A multi-hop flow where $R_0$ is the source, $R_n$ is the destination
and each $R_i$ behaves like a watchdog for node $R_{i+1}$. This network
requires at least one more watchdog per unreliable node to locate the
misbehaving node.

V.  Multihop  Routing 

In the above sections, we have shown that for each
$S \rightarrow R \rightarrow D$ flow, we need two watchdogs per flow
to locate the misbehaving node in the network. In this
section, we show that this result generalizes to multihop
flows. In particular, consider the multihop flow shown in
Fig. 9 where $R_0$ is the source node, $R_n$ is the destination
node and information is relayed via relay nodes $R_1$ to
$R_{n-1}$. We assume the links are bidirectional symmetric
such that each relay node $R_i$ behaves like a watchdog
for relay node $R_{i+1}$. We do not lose any generality with
such an assumption, since any watchdog watching relay
$R_{i+1}$ must listen to both $R_i$ and $R_{i+1}$. We show that in
spite of $R_i$ watching $R_{i+1}$, we need at least one more
watchdog per unreliable path.

Without loss of generality, assume that $R_2$ is
compromised by the adversary and assume that there is
no watchdog other than $R_1$ that is watching $R_2$.
There are three ways the adversary can attack the data
communication:

• $R_2$ corrupts the packets and claims that $R_3$ is
misbehaving: In such a case both $R_1$ and $R_2$ claim their
next hop neighbor is misbehaving;

• $R_2$ only corrupts the packets: In such a case, $R_1$
claims that $R_2$ is misbehaving;

• $R_2$ only claims that $R_3$ is misbehaving: In such a
case, $R_1$ will not claim that $R_2$ is misbehaving since
$R_2$ relays all packets correctly.

Since at most one node can be misbehaving, it is easy
to see that the only possible reason for the first case
is that $R_2$ misbehaves. So if two nodes claim that their
next hop neighbor is misbehaving, the judge node can
always correctly identify the misbehaving node to be
the one with the larger index. However, if only one node
declares an attack, there is no way for the judge node to
differentiate the latter two cases.

Hence, the strategy adopted by the misbehaving node
in multihop flows is either to corrupt the packets or
claim that the node it is watching is misbehaving, but
not both. In such a case, we will need at least one extra
watchdog per unreliable path to draw correct inferences
about the misbehaving node. For example, suppose we have
one watchdog node that can compare the information
transmitted by $R_0$ (say $d_t$) and transmitted by $R_{n-1}$ (say
$d_r$). If $d_t = d_r$, the relay node that claims another
node to be misbehaving is indeed the misbehaving node.
On the other hand, if $d_t \neq d_r$, then the relay node which
is being accused of misbehaving is indeed misbehaving.
In the case there is no such node that can overhear
transmissions from both the head ($R_0$) and tail ($R_{n-1}$)
of the multihop flow, we need more than one watchdog,
each of which can overhear the incoming and outgoing
transmissions of a segment of the path such that the
union of all the segments monitored by the watchdogs
is the whole path.
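The judge's inference for the multihop flow of Fig. 9 can be written as a small decision procedure. The following is an added example, not code from the paper; the function name `locate_multihop`, its parameters and the sample byte strings are hypothetical, and it assumes a single adversary as in the text.

```python
def locate_multihop(accusers, overheard=None):
    """Candidate indices of the misbehaving node on the path R_0 .. R_n.

    accusers:  indices i of nodes R_i that claim R_{i+1} is misbehaving.
    overheard: (d_t, d_r) captured by an extra watchdog that hears both
               R_0 and R_{n-1}, or None if no such watchdog exists.
    One element means the node is located; two elements mean the judge
    cannot tell the accuser from the accused. Assumes one adversary.
    """
    accusers = sorted(set(accusers))
    if not accusers:
        return []                      # nobody declared an attack
    if len(accusers) > 2:
        raise ValueError("more than two accusers contradicts one adversary")
    if len(accusers) == 2:
        low, high = accusers
        if high != low + 1:
            raise ValueError("non-adjacent accusers contradict one adversary")
        return [high]                  # case 1: the larger index is guilty
    accuser = accusers[0]
    accused = accuser + 1
    if overheard is None:
        return [accuser, accused]      # cases 2 and 3 are indistinguishable
    d_t, d_r = overheard
    # Data intact end to end: the accusation was false. Otherwise it was true.
    return [accuser] if d_t == d_r else [accused]


if __name__ == "__main__":
    # Constructed sample payloads, for illustration only.
    print(locate_multihop([1, 2]))                        # [2]
    print(locate_multihop([1]))                           # [1, 2]
    print(locate_multihop([1], (b"data", b"dXta")))       # [2]
    print(locate_multihop([2], (b"data", b"data")))       # [2]
```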

VI.  Multiple  Transmissions:  Improving 
Performance  &  Confidence 

In this section, we discuss the benefits of watchdog
mechanisms with source error detection coding over
multiple rounds in two contexts: improving the
probability of correct location detection, and incentives for
watchdog nodes to avoid selfish behavior.

Recall from Section IV-C that $P_{L|R} = (1 - P_{miss,1}) \times (1 - P_{miss,2})$.
If the location detection is done over multiple
rounds, say $m$, then $P^{m}_{L|R} = (1 - P^{m}_{miss,1}) \times (1 - P^{m}_{miss,2})$.
Hence, the probability of correct location detection can
be made arbitrarily close to unity by doing location
detection over multiple rounds.
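The probabilities of Lemma 2 and Lemma 4, and the multi-round expression above, can be checked by enumerating the four possible decision-bit pairs. This is an added example, not code from the paper; the function names are hypothetical, and it assumes that rounds are independent and that a watchdog reports 1 if it caught the attack in at least one round.

```python
from itertools import product


def judge(w1, w2):
    """Verdict from the two decision bits when relay R is the attacker."""
    if (w1, w2) == (1, 1):
        return "L"  # both watchdogs report the attack: R is located
    if (w1, w2) == (0, 0):
        return "U"  # both missed every corrupted packet: undetected
    return "F"      # bits disagree: a watchdog is blamed instead of R


def location_probabilities(p_miss1, p_miss2, rounds=1):
    """Exact P_L, P_F, P_U by enumerating all decision-bit pairs.

    Assumption: rounds are independent and a watchdog reports 1 if it
    caught the attack in at least one round, so it misses with p**rounds.
    """
    q1, q2 = p_miss1 ** rounds, p_miss2 ** rounds
    probs = {"L": 0.0, "F": 0.0, "U": 0.0}
    for w1, w2 in product((0, 1), repeat=2):
        pr = (1 - q1 if w1 else q1) * (1 - q2 if w2 else q2)
        probs[judge(w1, w2)] += pr
    return probs


def rounds_needed(p_miss1, p_miss2, target):
    """Smallest number of rounds m for which P_L reaches the target."""
    if not (0 <= p_miss1 < 1 and 0 <= p_miss2 < 1 and 0 < target < 1):
        raise ValueError("need miss probabilities in [0, 1), target in (0, 1)")
    m = 1
    while location_probabilities(p_miss1, p_miss2, m)["L"] < target:
        m += 1
    return m


if __name__ == "__main__":
    print(location_probabilities(0.3, 0.3))            # Lemma 2 setting
    print(location_probabilities(0.2, 0.5))            # Lemma 4 setting
    print(location_probabilities(0.2, 0.5, rounds=3))  # multiple rounds
    print(rounds_needed(0.2, 0.5, 0.99))
```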

Note that in the above discussion, we have assumed
that none of the nodes behave selfishly. While the relay
nodes have no incentive to behave otherwise, the
watchdogs are inferred to be misbehaving even when they
are not (with probability $P_{F|R}$). The watchdog nodes,
hence, have an incentive to always transmit a decision
bit 0 so that they are never deemed misbehaving. Having
location detection performed over multiple rounds gives
enough incentive for the watchdog nodes to avoid such
selfish misbehavior.

VII.  Final  Remarks 

In this paper, we have studied the problem of
misbehavior detection in wireless networks. We propose a
lightweight misbehavior detection scheme which
integrates the idea of watchdogs and error detection coding.
We show that even if the watchdog can only observe a
fraction of packets, by choosing the encoder properly,
an attacker will be detected with high probability while
achieving throughput arbitrarily close to optimal. We
then propose a simple protocol which, by using just one
extra watchdog per relay node, locates the misbehaving
node with probability approaching unity.

There  are  several  possible  extensions  to  the  results 
of  this  paper.  First,  our  results  may  not  directly  apply 
to  networks  that  have  several  misbehaving  nodes,  for 
example  if  both  the  relay  node  and  one  of  the  watchdogs 
are  misbehaving.  In  such  cases,  the  relay  node  can  alter 
the  packets  as  much  as  possible  without  being  detected 
as  long  as  the  faulty  watchdog  never  declares  an  attack. 

We have also assumed the existence of a reliable channel
between the watchdogs and the judge nodes which is
used to transfer the decision bits. While this assumption
is quite acceptable since only one bit is required to be
transmitted, the relay node might intentionally interfere
while the decision bit is being transmitted from the
watchdogs to the judge node, which might preclude the
judge node from receiving the decision bits. It would be
interesting to see if a scheduling mechanism could be
enforced to limit such an action from the attacker.